
Incident Handling Foundations

Incident Handling Foundations. Agenda: What is incident handling? Why is it important? What is an incident? Fundamentals. The six-step process. Legal issues.

lynn




Presentation Transcript


  1. Incident Handling Foundations

  2. Agenda • What is incident handling? • Why is it important? • What is an incident? • Fundamentals • The Six Step process • Legal issues

  3. Incident Handling • Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, malicious code, fire, floods, and other security-related events. • Having procedures and policy in place so you know what to do when an incident occurs

  4. Why is it Important? • Sooner or later an incident is going to occur. Do you know what to do? • It is not a matter of "if" but "when" • Planning is everything • Similar to backups: you might not use it every day, but if a major problem occurs you are going to be glad that you did

  5. Legal Aspects of Incident Handling • Plans, policies and procedures developed for incident handling must comply with applicable laws. • This is not a legal course; have them reviewed by legal counsel.

  6. What is an Incident? • An "incident" is an adverse event in an information system and/or network, or the threat of the occurrence of such an event. • Incident implies harm, or the attempt to do harm. • The fact that an incident has occurred may mean a law has been broken

  7. Types of Incidents • Bombings, explosions • Earthquakes, fires, floods • Power outages, storms • Hardware/software failures • Strikes, employees unavailable • Hazardous material spills • Cyber-theft, intellectual property theft • Viruses, worms or other malicious software • Unauthorized use • Intrusions, internal or external attack • Denial of service.

  8. What is an Event? • An "event" is any observable occurrence in a system and/or network. Examples of events include: • the system boot sequence • a system crash • packet flooding within a network • These observable events compose an incident • All incidents are composed of events, but not all events are incidents

  9. Examples of an Incident • Which of the following is an incident? 1. An attacker running NetBIOS scans against a UNIX system. 2. An attacker exploiting Sendmail on a UNIX system. 3. A backup tape containing sensitive information is missing.

  10. Overview of the Incident Handling Process • Incident Handling is similar to first aid. The caregiver tends to be under pressure and mistakes can be very costly. A simple, well-understood approach is best.

  11. Incident Handling. 6 Steps • Preparation • Identification • Containment • Eradication • Recovery • Lessons Learned

  12. Preparation Getting your environment and team ready to handle incidents

  13. Preparation The Goal of Preparation is to Get Your Team ready to handle incidents • Policy • People • Data • Software/Hardware • Communication • Supplies • Transportation • Space • Power and Environment control • Documentation

  14. Preparation Key Points • Be calm • Take notes, logs, etc. • Hand-written notes are a great help • Use time stamps in the notes. • Management support • Regular reports (preferably monthly) • Graphically illustrated reports

  15. Preparation Key Points • Build an Incident Handling Team • Identify qualified people • A multi-disciplinary team is the best • Network • Security • Operations • Systems • HR

  16. Preparation Key Points • Prepare a system build checklist • Procedures for backing up and rebuilding systems • Getting access to systems and data • The Incident Handling Team needs to have access to the system (even without notifying system admins) • Strike a bargain with the operations team • Establish a war room

  17. Preparation Key Points • Train the team • Conduct training scenarios • Deploy an internal honeypot • Conduct war games • Pen tests • Do this with more experienced teams • Cultivate good relationships • Helpdesk • Sys admins, network admins

  18. Preparation Key Points Jump Bag • Get a bag and load it with items that you might use in an incident. • Never steal from this bag • Use check list while loading the bag

  19. Jump Bag – Software • Binary image creation software • dd, windd, cryptcat, netcat • Forensics tools • Sleuth Kit, Autopsy (free), EnCase, X-Ways • Diagnostic software: • No XPE • Helix (great tool) • Backtrack

  20. Jump Bag – Hardware • USB drives • External hard disks • Hub or tap (no switch) • Patch cables • Laptop with multiple OSes • A lot of RAM • Jumpers, flashlight, tweezers, dental mirror, business cards

  21. Identification Detecting Deviation from the norm and attempts to do harm

  22. Identification phase • The goal is to gather events, analyze them, and determine if it is an incident.

  23. Identification – Points to keep in mind • Be willing to alert early. • Do not be afraid to declare an incident • Maintain situational awareness • Provide current intelligence • Correlate information • Assign a primary handler • Try to assign a helper (WHY?) • Control the flow of information (need to know)

  24. Identification • Communication channels • You cannot trust the network if you suspect you are under attack • Use out-of-band communication • Be careful with VoIP • Wireshark • VOMIT

  25. Where does Identification Occur? • Network Detection • Host Detection • System detection

  26. Signs of an Incident • IDS tool has an alert • Unexplained entries in a log file • Failed events, such as logon • Unexplained events (new accounts) • System reboots • Poor performance
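A first-pass triage of an auth log for two of the signs listed above (failed logon bursts and unexplained new accounts), with the correlation point from slide 23 folded in: a success from a source that was just failing is called out. This is an added example, not material from the slides; the log lines are constructed in the style of Linux sshd/useradd syslog entries, and the failure threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the slides): triage an auth log for failed-logon
# bursts per source IP, successes that follow such a burst, and new accounts.
# The threshold is an assumption; tune it to the environment's baseline.

FAIL_THRESHOLD=${FAIL_THRESHOLD:-5}   # failures from one IP before we flag it

failed_logon_sources() {
  # Print "count ip [then-accepted]" for each source with >= FAIL_THRESHOLD
  # sshd failures; "then-accepted" marks a later success from the same IP.
  awk -v t="$FAIL_THRESHOLD" '
    /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
      ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
      if ($6 == "Failed") fail[ip]++; else if (fail[ip] >= t) ok[ip] = 1
    }
    END { for (ip in fail) if (fail[ip] >= t) print fail[ip], ip, (ip in ok ? "then-accepted" : "") }' "$1" | sort -rn
}

new_accounts() {
  # Print "time name" for every account created through useradd.
  awk '/useradd\[[0-9]+\]: new user: name=/ {
      split($0, a, "name="); split(a[2], b, ","); print $3, b[1] }' "$1"
}

finding_count() {
  # Number of flagged items across both checks (0 means nothing to escalate yet).
  { failed_logon_sources "$1"; new_accounts "$1"; } | wc -l | tr -d ' '
}

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  4 02:11:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 02:11:04 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 02:11:06 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  4 02:11:07 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  4 02:11:09 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  4 02:11:30 web1 sshd[2240]: Failed password for alice from 198.51.100.9 port 40112 ssh2
Mar  4 02:12:01 web1 sshd[2250]: Accepted password for root from 203.0.113.7 port 51090 ssh2
Mar  4 02:12:45 web1 useradd[2261]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar  4 02:13:02 web1 sshd[2270]: Accepted publickey for bob from 192.0.2.15 port 50102 ssh2
EOF

echo "flagged items: $(finding_count "$SAMPLE_LOG")"
failed_logon_sources "$SAMPLE_LOG"
new_accounts "$SAMPLE_LOG"
```

The single failure from 198.51.100.9 stays below the threshold and is not reported, which is the point of a threshold: the handler's attention goes to the burst, not to every typo.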

  27. Cheat sheets • SANS -Windows cheat sheet • SANS-Linux cheat sheet

  28. Containment Stopping the Damage and making Forensics images

  29. Containment • The goal is to stop the bleeding. • Stop the attacker from getting any deeper. • We will cover the following: • The sub-phases of containment. • Methods of short-term containment • Backup • Methods of long-term containment.

  30. Short-term Containment • Disconnect network cable • Pull power cable • Isolate the attacked server on a separate switch • Apply filters (FW) • Change the DNS names to point to a different IP address

  31. ISP coordination • Coordinate with your ISP regarding external attacks. • Large packet floods, worms, botnets.

  32. Initial analysis • Keep a low profile • Analyze the copy of the forensic image: • Make an image ASAP • Use blank media • If possible take a bit-by-bit image • Never analyze the original. • Keep the original pristine as evidence.

  33. Isolate the system • Isolate first, then image. • Use CD, do not use USB. • Do not gracefully shut down the system. • Store the image in a safe place. • Original (evidence) • Image 1 (may be put back into production) • Image 2 (analysis) • Use drive duplicators if possible • Train on image creation.
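The imaging routine from slides 32 and 33 carried through in a script: a bit-for-bit dd copy, a hash taken before and after so the image is verified and the original is shown untouched, and the three-copy rule (original as evidence, image 1 for production, image 2 for analysis). This is an added example, not code from the slides; it assumes POSIX dd plus sha256sum (or shasum on macOS), and stands in a random 4096-byte file for the disk.

```shell
#!/bin/sh
# Added example (not from the slides): image a source bit-for-bit with dd,
# verify the copy by hash, and keep the original pristine. Follows the
# slides' three-copy rule: original (evidence), image1 (production),
# image2 (analysis). Assumes sha256sum or shasum and POSIX dd.

hash_of() {
  # SHA-256 of a file; shasum is the macOS fallback.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

make_image() {
  # make_image SOURCE DEST: dd copy with bs=512 conv=noerror,sync, so a read
  # error is zero-filled and logged rather than aborting the image. Caveat:
  # conv=sync pads the last block to 512 bytes, so a plain file whose size is
  # not 512-aligned will not hash-match; block devices always are.
  src="$1"; dst="$2"
  if [ -e "$dst" ]; then
    echo "refusing to overwrite existing image: $dst" >&2; return 1
  fi
  before=$(hash_of "$src")
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
  after=$(hash_of "$dst"); again=$(hash_of "$src")
  if [ "$before" != "$after" ] || [ "$before" != "$again" ]; then
    echo "VERIFY FAILED src=$before image=$after src-after=$again" >&2; return 1
  fi
  chmod 0400 "$dst"                                   # image is read-only; analysts work on it
  printf '%s  %s\n' "$after" "$dst" > "$dst.sha256"   # sha256sum -c format, kept with the image
  echo "$after"
}

image_evidence() {
  # image_evidence ORIGINAL OUTDIR: produce image1 and image2, verify both
  # against the original, then lock the original read-only. Prints the hash.
  orig="$1"; out="$2"
  h1=$(make_image "$orig" "$out/image1.dd") || return 1
  h2=$(make_image "$orig" "$out/image2.dd") || return 1
  [ "$h1" = "$h2" ] || return 1
  chmod 0400 "$orig"
  echo "$h1"
}

# Constructed sample "disk": 4096 random bytes, 512-aligned like a real device.
demo_dir=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo_dir/original.bin"
demo_hash=$(image_evidence "$demo_dir/original.bin" "$demo_dir")
echo "verified image hash: $demo_hash"
```

The recorded hash is what lets a later reviewer confirm the analysis image still matches the evidence, so keep the .sha256 file with the handler's notes.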

  34. Continuing Operation • Acquire the logs and other sources of information. • Review logs from neighboring systems. • How far did the attacker get? • Make a recommendation for long-term containment. • It is a business decision

  35. Long-Term Containment • As long as you have your evidence and image backup, you can make changes to the system. • Ideal: keep the system offline. • Less than ideal: if the system must be kept in production, perform long-term containment.

  36. Long-Term Containment • Numerous potential actions: • Patching the system and neighbouring systems. • Change passwords • Null routing ??? • FW • Remove accounts used by attackers. • Do not forget (you still need to eradicate) • The ideal long-term containment is to apply a temporary solution until you build a clean system.

  37. Eradication Cleaning up and removing the artifacts left by the attacker

  38. Eradication • After stopping the bleeding we need to eradicate, i.e. get rid of any of the attacker's artifacts. • In this phase we determine the cause and the effect of the incident: • By analyzing all data. • By isolating the system and studying the attack patterns.

  39. Eradication • Locate the most recent CLEAN backup • If a rootkit attack is suspected, rebuild the system from scratch • Remove malicious software: • Viruses • Backdoors • Rootkits or kernel-level rootkits

  40. Improve your Defenses • Now that the attackers have got you: • Implement the appropriate protection: • Firewalls. • New name/IP for the system • Null routing • Hardening • Patching

  41. Vulnerability assessment • Perform vulnerability analysis • Network assessment • System assessment • Scan the entire network for interesting ports. • Nessus is a big help. • Remember the attacker often uses the same exploit and backdoor on multiple machines, so look for them in multiple environments.

  42. Recovery Getting Back to business … Carefully.

  43. Validation • The goal of recovery is to put the impacted system back into production in a safe manner. • Validate the system • Verify the operation of the system. • Let the business unit test with you

  44. Restoring Operations • Usually at off-hours timeslots • It is easier to monitor at these times. • The final decision is in the hands of the business team. • Provide your advice but remember it is their call.

  45. Monitor • Once the system is back online, continuous and deep monitoring is required. • Utilize all possible means of monitoring. • You can create a custom signature for the original attack vector • Check operating system and application logs extra carefully.

  46. Lessons Learned Documentation and improving operations to prevent the incident from happening again

  47. Lessons Learned • The whole point of the lessons learned phase is to document what happened in the incident, learn from our mistakes and improve our capabilities. • It is the most important phase.

  48. Follow-up • Develop a report • Try to get consensus • Conduct lessons learned meeting • Send recommendations to management • Follow-up meeting

  49. Seven Deadly Sins-Chronological order

  50. Seven Deadly Sins – Chronological order • Failure to report and ask for help. • Incomplete/non-existent notes • Mishandling/destroying evidence • Failure to create a working image • Failure to contain or eradicate. • Failure to prevent re-infection • Failure to apply the lessons learned
